On 11 April 2018 the Article 29 Working Party ('A29WP') published its finalised Guidance on transparency under GDPR.

The revisions to the guidance, which was initially released in December 2017, followed a period of open public consultation that ran until 23 January.

On the whole the amendments are minor, with little backtracking on the more demanding requirements adopted in the draft guidance.

The new points raised by the A29WP are as follows:

More detail on legal basis: In addition to setting out the legal basis for processing, the lawful basis for the processing of special categories of personal data should be specified. Similarly, where data relating to criminal convictions is processed, the relevant EU or Member State law pursuant to which the processing is carried out should be noted.

Legitimate interest: In addition to specifying the specific interest which the controller relies on, it should be made clear that the individual can obtain further information on the legitimate interest balancing exercise on request, to the extent this information is not already set out in the notice.

Naming recipients: One of the most controversial aspects of the draft guidance was the requirement for controllers to name recipients of the data (including data processors). This requirement is substantially retained: controllers must provide information on recipients which is most meaningful to the individual which the A29WP state will generally be the named recipients. Where a controller chooses to name only categories of recipients the Working Party requires this be as specific as possible indicating the type of recipient, the industry, sector and sub-sector and the recipients’ location.

International transfers: In the draft guidance, the A29WP mandated that the notice explicitly mention all third countries to which the data will be transferred. The finalised guidance adopts more qualified language, although the effect is largely the same, requiring that detail on third country transfers be as meaningful as possible which according to the Working Party will generally mean that third countries be named.

Surprises should be avoided: The A29WP reminds us that central to transparency is that individuals should not be taken by surprise as to how their data has been used. Controllers should therefore assess whether there are particular risks involved in their processing which should be flagged to the individual in the notice.

Children’s right to transparency: Children don't lose the right to transparency because a parent gives consent on the child’s behalf. Controllers should ensure that where they target children, or where they are aware their products or services are used by children, the notice is presented in a way the child can understand. Sensibly, for very young or pre-literate children the notice can also be addressed to the parents. Where relevant, controllers also need to consider how to make their notices accessible to children, with the Working Party giving examples such as the use of comics/cartoons, pictograms and animations amongst other measures.

All in one place: All privacy information addressed to individuals should be available in one place, or one complete document reflecting the A29WP’s earlier position that the individual shouldn’t have to work to find the information.

Changes to privacy notice: It is insufficient and unfair to state in the privacy notice that individuals should regularly check for updates to the notice. As in the draft guidance the Working Party make clear that the onus is on the controller to communicate changes to the notice, and in a way that takes 'all measures necessary' to bring the specific changes to the individual's attention (such communications should also be separate from direct marketing content). The A29WP give non-exhaustive examples of changes to a privacy notice which should always be communicated to an individual, these include: a change in the processing purpose, a change in the controller's identity, and changes as to how an individual can exercise their rights.

Updates for GDPR: The Working Party recommends that any changes or additions made to notices to align them with GDPR are actively brought to the individual's attention. Interestingly - perhaps in an effort to avoid information overload ahead of 25 May - the Working Party suggest that as a minimum controllers make their updated notices publicly available (for example via their website). Where the updates are material or substantive, active communication to individuals is required.

Privacy reminders: In line with the GDPR principle of accountability, controllers should consider whether, and at what intervals, it is appropriate to provide reminders to individuals of the privacy notice and where it can be found.

Clarity on layered notices: The A29WP clarify that layered notices aren’t exclusive to the online environment: for example, where the first communication with the individual is by telephone, the first layer of information could be delivered over the phone with the balance provided via email. The Working Party’s guidance on the content of the first layer of information differs slightly depending on whether the information is deployed in a non-digital or a digital environment: in a non-digital environment the A29WP recommends that the first layer of a layered notice should include the purposes of the processing, the identity of the controller, and the existence of the individual’s rights, together with other information that has most impact on the individual. In a digital environment the A29WP provides that, in addition, there should be “a description” of the individual’s rights. Furthermore, the A29WP underlines that in an online environment the first layer of information should be brought directly to the attention of the data subject at the time the personal data is collected, e.g. displayed as the data subject fills in an online form.

Restrictions on data subject rights: Where national implementing legislation qualifies or restricts data subjects' rights, the controller must notify individuals of any qualification to their rights on which the controller may rely.

Exemptions: The A29WP suggest that the narrow exemption to providing notice where it would be impossible or involve disproportionate effort will be particularly relevant for processing for archiving in the public interests, scientific or historical research or statistical purposes. This exemption should not be routinely used by controllers who are not processing data for these purposes.

The revised guidance on transparency is available here.

We set out below an updated summary of the information to be provided pursuant to Articles 13 and 14 GDPR, with amendments from the finalised A29WP Guidance in underline for reference.

For a redline comparison with the earlier draft, click here.

| Required Information (Article 13 and 14 GDPR) | WP29 Comments |
| --- | --- |
| The identity and contact details of the Controller and their representative (where applicable). | This should allow for easy identification of the Controller. A29WP states the controller should also allow for different channels of communication (e.g. phone, email, postal address etc.). |
| Contact details for the data protection officer, where applicable. | |
| The purposes and legal basis for the processing. | A29WP states that the purposes should be set out together with the relevant lawful basis relied on. Where special categories of personal data are processed, the lawful basis in Article 9 GDPR should be specified (or other EU or Member State law where relevant). Where criminal conviction and offence data are processed, the relevant EU or Member State law on which the processing is carried out should be noted. |
| Where legitimate interests is the legal basis, the legitimate interests pursued by the Controller or a third party. | This should include the specific legitimate interest on which the Controller or the third parties are relying. It is also best practice to provide the individual with details of the legitimate interest balancing test. In practice, this may not be the easiest information to summarise succinctly in policies, and to avoid information overload the A29WP suggest that this could be included by way of a layered notice. The notice must state that the individual can obtain further information on the legitimate interest balancing exercise on request, to the extent this information is not contained in the notice. |
| The categories of personal data. | Technically, listing categories of data is only required under Article 14 GDPR, where the data has not been obtained from the individual directly. |
| Recipients (or categories of recipients) of the personal data. | Controllers must provide information on recipients which is most meaningful to the individual, which the A29WP state will generally involve naming recipients. Recipients include controllers, joint controllers and processors. Where a controller chooses to name only categories of recipients, this should be as specific as possible, indicating the type of recipient, the industry, sector and sub-sector, and the recipients’ location. |
| Details of transfers outside the EU: including how the data will be protected and how the individual can obtain a copy of the safeguards, or where such safeguards have been made available. | The relevant GDPR article permitting the transfer and the corresponding adequacy mechanism should be specified. Where possible, a link to the adequacy mechanism used, or information on where the document may be accessed, should be included. The principle of fairness requires that the information provided on transfers to third countries be as meaningful as possible to individuals; according to the A29WP this will generally mean that third countries should be named. |
| The retention period (or if not possible, the criteria used to determine that period). | According to the A29WP it is not sufficient for the controller to state generically that data will be kept as long as necessary for the legitimate purpose. Where relevant, different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including, where appropriate, archiving periods. This will be one of the more difficult GDPR notice requirements, particularly for controllers that don't currently have developed retention policies. |
| The rights of the data subject to access; rectification; erasure; restriction, objection and portability. | This information should include a summary of what the relevant right involves and how the individual can take steps to exercise it. Where national implementing legislation qualifies or restricts data subjects' rights, the controller must notify individuals of any qualification to their rights on which the controller may rely. The right to object to processing must be explicitly brought to the individual's attention at the latest at the time of first communication and must be presented clearly and separately from other information. More generally, the A29WP stresses that the principle of transparency also applies when communicating with individuals in relation to their rights or facilitating those rights. |
| Where processing is based on consent, the right to withdraw consent at any time. | |
| The right to lodge a complaint with a supervisory authority. | Including that the individual can bring the complaint in their Member State of residence, place of work or of an alleged breach of GDPR. |
| Whether there is a statutory or contractual requirement to provide the information, or whether it is necessary to enter into a contract, or whether there is an obligation to provide the information, and the possible consequences of failure to do so. | E.g. an employee may need to provide information to an employer pursuant to a contractual requirement (e.g. bank details to facilitate payment of wages). Online forms should clearly identify which fields are 'required', which ones are not, and the consequences of failing to provide the information. |
| The source from which the personal data originate and, if applicable, whether it came from a publicly accessible source. | Specific sources of data are to be provided unless this is not possible. However, the A29WP does not (in contrast to recipients above) state that the data sources have to be named, so arguably generic descriptions of the source may suffice. Details should include the nature of the sources (i.e. publicly/privately held sources; the types of organisation/industry/sector; and where the information was held (EU or non-EU) etc.). |
| The existence of automated decision-making, including profiling and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject. | This rule captures solely automated decisions that have a significant or legal effect on individuals. The A29WP also remind us that the principle of transparency, and of individuals not being taken by surprise, also applies to profiling activities more generally. |